Indignation is the immediate response if you suggest to any computer user that they should be given a licence to use their PC only if they pass a test. Why is this?
When someone crashes a car on the motorway, naturally, our first response is to utter words of sympathy: "Oh, hope they're not hurt..." - but what we're actually …

Restricted information appliance

So when will we admit that it isn't a blow against the Electronic Freedom Foundation to say: "Unlicensed users can use secure browsers on restricted 'information appliances' for surfing. But anybody who wants to run a machine that can be compromised has to demonstrate a minimum competence"?

I've often thought that the solution is to simply release a few old school virii into the wild - ones that render infected machines inoperable, and require a re-install. Not only will this decimate botnets, it would also make the affected users think twice about securing their machine next time they re-install Windows.

There is a salient difference here...

...in that I do not believe anyone has been killed and left in a blood-soaked heap when someone else clicked on a phishing email.

Guy's argument is basically that if we are protecting people in our society from others in cases of -direct- threats - being run over or run off the road - that it makes sense to protect them from -indirect- threats - having a slower connection or getting lots of spam.

It makes sense for the government to safeguard citizens from direct threats to life and limb.

Guy says that this means it makes sense for the government to safeguard citizens from third- or fourth-degree threats against some vague potential inconvenience that might possibly have a financial impact.

Perhaps one should have to take a license test before writing a column.

Right idea - wrong tests

"Do they know how to find and eliminate malware? No!"

Very few computer users even know how to detect that their computer is running malware, let alone find the malware in question, let alone eliminate it. I think you've just banned well over 99% of the population from using a computer.

"Are they running up to date anti-virus software? No!"

AV software is security theatre. If you don't want to get infected, you need to change your behaviour, not soak your machine in disinfectant and keep your fingers (legs?) crossed.

"Could they actually detect a fault in their security package? No!"

Crikey! I suspect that only a few hundred people on the whole planet have reverse-engineered the major AV products in sufficient detail to detect faults in them, and they are probably the ones writing the malware in question.

I propose a simpler test: Anyone who normally runs their computer with an administrative account should be defenestrated.

Surely a more secure computer is better

Trojans will still have limited use because you can't get a user to stop it. You can stop hiding the extension, however (MS thinks this is too scary for people, though. I've always wondered why they say "FLI file" when they don't know what the feck runs an .fli file, but there we go) and this will reduce it. You won't get "britney_spears_muffshot.jpg.exe" being clicked on.

Stopping macros being so powerful would help with opening Word documents (though you shouldn't be opening them unless you know who they are from: showing all headers will show if it's been faked).

IE comes OUT of the OS. Use an HTML renderer and give a standard API for it. Some people can change the POS IE html for something that's a POS in a different way.

When you become admin, you can see anything that's going on. That includes DRM files that are hidden from ANY view unless you boot into Linux! You can see then whether your disk is disappearing because your machine is storing KP. The computer should only get in your way when it's telling you something, not when you're trying to find something out. You don't have to be admin.

Some of the "help" MS did was to make computers less scary. But all they've done is let people who don't WANT to learn about how it works use it and, in the process, stop them

a) learning

b) finding out what's gone "wrong"

For those who don't want a complicated life, an OS that's reduced in functionality is fine. E.g. the only access to the internet is through a web browser and email. If that's not good enough for you, get something "scary" and learn how to use it.

Dumb People require Dumb Terminals.

@ mad clarinet

...some of the people I have to deal with shouldn't be let anywhere near a computer.

Same here. It's frightening really what some people clearly don't understand. Even more frightening are those who have no understanding, but think they are experts. Those kinds of people are truly dangerous.

The technology is there

"Most important, can we design a sandbox PC, which does what most of us want (visiting Facebook, managing photographs and videos and music, searching the web for news and chat) but which can only run other software when recognised by the ISP which provides our web link?"

There is no need to '_design_ a sandbox [sic] PC.' The technology to achieve your goal already exists to some extent in the form of Trusted Computing. A Trusted Platform Module (TPM) can attest to the system's state. An ISP can then decide as to whether this state is suitable. The problem, of course, is too many states exist. If, however, an ISP subscription included a laptop (or PC) which it maintained remotely (as part of its service package) then the state would be known and this solution would be viable.

Poor

PCs are marketed/sold/presented as consumer appliances. Ever watched a PC World advert? And I suspect the selling of security applications is seen in the same way as the 'extended guarantee' scam.

The car analogy is poor. You are forgetting that in 99% of cases the user is the *victim* of a crime - not a perpetrator. You are entering the murky realm of 'contributory negligence' at best.

Sure - it would be nice to turn the net back to the time it was the province of a handful of geeks and university students but .... aren't you the same Guy Kewney who wrote a long ranty article about the time his PC broke and he forgot to save his document? Or was that Guy Goma?

Mixed metaphor

You cannot compare a driving test to a computer competence test. If you behave badly on the road, you may well kill someone. If you allow your PC to send out enlargement e-mails then you may annoy a few people.

The real problem

With the rate at which legislation progresses, a high-powered computer would currently be rated as one running above 500MHz with over 100 Megabytes of RAM and a hard drive measured in Gigabytes.

I could get behind taxing ISPs of people who haven't taken an internet safety course, but this again risks the illusion of safety. Having a standard list of ways to tell if a link is phishing for instance would be begging a phisher to come up with a site which passes this test because even more sheep than usual would trust it.

Certainly something should be done

In my university, anyone can walk in and plug their laptop (or even desktop) into the university network and, once the MAC has been registered, is free to do as they like. However, if your computer has one of a number of network spreading or botnet-zombie viruses detected on it, it's cut off until you prove it's infection free. They'll even help you reinstall it, if you want. Surely an ISP can do similar? I know that there'll be arguments of personal responsibility, and economics, but it hurts ISPs as much as the rest of us when a botnet strikes.

As for a secured browser, I've long thought that it might be worth having bank websites only respond to a certain type of secured browser, above and beyond the little padlock icon, in order to prevent phishing.

Sarbs-Oxley compliance

Bonkers

Utterly bonkers.

Utterly unpolicable.

There's so much wrong with this idea, practically and ideologically it's difficult to know where to begin. If you want to have a free internet, suggesting that massive government oversight of all users is the way ahead suggests that you regard freedom and security to be in perfect correlation, with security as the driver.

Presumably licenses would be revoked for catching a virus (aargh! One click and that's my software business ruined!), it's the spammers that the ISP would send the bill when your 1p per email limit is breached and it would all be run by a benign and completely competent government organisation.

Vehicle Class

Driving licenses require different tests for different vehicle classes. Do you propose a similar system based on some aspect of the equipment being used for net access? Would that be hardware? Operating system? Browser? Email client? Something else?

What if I build my own system or write my own software? Would the knowledge required to do this exempt me from any such testing or would everything I built and wrote have to go through some sort of 'networthiness' test? This all sounds like a bureaucrat's wet dream but I don't think the public or the ISPs would wear it.

Bloody Well Right!

Computer competence tests are something I've advocated in one form or another for most of my professional career thus far, some 12 years.

How many companies would improve their performance and morale, leaving the IT crew to get on with the important stuff (working on improving things rather than firefighting) if their staff were all competent to one decent, professionally competent level?

A lot of people would fail a common sense test and of course there will be those who complain about human rights being infringed.

I could start on about how people should pass a test before being allowed to breed, as that would be a more useful step in improving society.

Maybe missing the point...

One might be missing the point that it isn't a perceived threat nor inconvenience to the user that the author is debating - rather the addition of the user's computer to a botnet that can be used against more significant (read valuable) targets.

I'm sure no one here is suggesting that people should be licensed simply so they can prevent a small and usually completely insignificant inconvenience to themselves (as if they cared/noticed I'm sure they would take it upon themselves to do something about it if it were a significant enough problem) as this would obviously be down to them. However, their participation (willing or otherwise) in botnets, etc. is something that needs to be addressed or at least discussed as evidenced by the massively increasing frequency and organisation behind this style of attack (malicious or otherwise).

ISP Ownership + PC MOT tests

Any PC on the ISP's network that is "doing bad things" should have their connection redirected into a sandbox. The user would then be required to submit the machine to an MOT style test - is it fit to be connected to a public open network (road worthy). This check is chargeable, and any "repairs" are also chargeable. If the machine was not "doing bad things", then the ISP must pay compensation.

All machines must have an annual MOT test (just like cars).

All People must have a proficiency test, could be an on-line or VOIP test, to ensure they understand how to "drive safely", "perform routine maintenance" and fix basic problems "change a wheel". This could be taught in schools, like cycling proficiency - teach them when they are young, before they get any bad habits.

What "doing bad things" means in reality is open to discussion - but would be acting as a bot, spamming, spreading malware, etc. It would not be using P2P apps, or playing games.

ISPs would need to be regulated by an organisation with teeth who are not afraid to punish.

There are lots of problems implementing such a scheme, and maintaining it, but just because something is hard to do does not mean we should not try.

re: Restricted information appliance

"I've often thought that the solution is to simply release a few old school virii into the wild - ones that render infected machines inoperable, and require a re-install. Not only will this decimate botnets, it would also make the affected users think twice about securing their machine next time they re-install Windows."

Good idea in theory...

Sounds like a good idea in some people's cases (a mate of mine phoned me up a few months back after discovering his PC had 'suddenly' contracted over 350 viruses. Not long after, the hard drive practically vaporized itself, he's had something like 6 complete reinstalls over the last year).

Maybe it would be simpler to build a control into the OS rather than having a licence. After so many stupid occurrences a message could be displayed to the user, along the lines of:

"Your computer has experienced a serious problem - you. Please pack the machine and all related peripherals into the original packaging and return to the original store, where they will provide you with an appropriate replacement system (pencil, paper and an abacus)"

What an odd comparison

Why compare driving a car to owning a computer? Will someone die if you walk away when a program is running? That's when you might need training - something like an air traffic controller for example. Someone checking emails? Who cares?

People who care will look after their systems, people who don't will moan about how slow their system is and end up paying someone to sort it out.

Licence to run a computer, geez. Next you'll be saying you need one to own an MP3 player to ensure you understand copyright issues...

It's only getting worse (and less free)

In five years time users will connect through voice or portable devices. There will be even less awareness of security because of the originating metaphor of the telephone.

At the same time, if TelCos hold their control as they do nowadays, those mentioned restrictions could apply simply because they are already built-in by design and nobody complains about that.

I guess the problem is that, in IT, we always looked to translate one experience to another, how many times I heard: Internet <--> Freedom of Expression which does not fit very well, especially now that the Internet has become a commercial workplace.

As for users being held responsible: I do not agree. A car is simple to start and drive. The same should be for computers and their security tools. The fact is that we use mediocre technologies and the level of complexity of modern OSes is rarely understood by their creators themselves. Not that I would go back to the Speccy but... Well 48Kb seemed so much to me!!

Think before you speak

If clever people really want to do bad to dumb people, all you can do is slow them down e.g. signature based AntiVirus is often like shutting the stable door after the horse has bolted, you also need dynamic anti-intrusion software.

Damn right liberty matters, we need all the liberty we can get in this insidious Socialist police state, with self-censored media

Yes, we need them!

Licensing is not a viable (or vaguely intelligent) solution!

A very partisan and elitist opinion. There is much truth in what you say, but in pandering to your site's demographic, you have comprehensively failed to address the ramifications of your suggestions. A restriction on computer use would result in the stagnation of the technological development that has resulted from the proliferation of PCs across the World. Much fewer and more expensive 'Killer Apps' would be available, game and CGI development would never have been able to proceed to the levels that they have now due to more archaic technology and higher cost due to fewer sales. Think of the impact of cost and logistics on schools and universities. Also, bear in mind that much of the malware that entraps these less "non-IT industry" mere mortals was written by highly talented, if unscrupulous, software engineers who will just work harder to entrap the brave new breed of licenced users. What is needed is not legislation to stop less talented people from using information technology, but for a worldwide consortium that REALLY takes ownership of problems such as botnets, ID theft and viruses, while relentlessly pursuing and prosecuting the perpetrators. Anything else is pure fantasy. If you don't like it, stay beardy, fire up that old 386, and log on to Usenet.

Re Sarbs-Oxley compliance

Matt wrote "As part of our SOks compliance all users in the company now have to do a "data protection" test."

Same here - and they add the "if you're found to be willfully ignoring this advice then you're sacked/prosecuted" type notes too - just to ram the point home.

Here's a thought for SteveB/BillG etc - if we have to endure the "Take a tour of Windows XP", why not similarly force users of new installs to take a basic "this is how to operate safer" presentation (please no flames about MS supplying such a presentation - I run Linux too). And for all those folks who have to reinstall their OSs (journos etc) just add a small tick-box on the install process that says "Skip security presentation" (default=no). If you're smart enough to want to reinstall, then it's likely that you should be smart enough to know what's good operating procedure.

Or another approach - have your new system operate in a very restrictive mode from day one and then only open up as you show that you need more capability. After all, my ZoneAlarm firewall supposedly watches what I do and then figures out settings accordingly, so I'm just asking for the OS to follow this idea.

@Ken Hagan: I'd willingly give up Admin rights on my XP system if there was some way to "su" when I needed to. Yes, I know I could probably have a separate "Admin" account and use that for software installs, but unfortunately there's a lot of XP programs that just plain fall flat on their ass if you use a non-privileged account. I like Debian's approach in this.

Lastly, what worries me (slightly) is that with more stuff being net connected that these bot nets might - at some point - be used as a vector for cyber terrorism. Hack a 777 and threaten to drive it into the ground, etc. In which case if we all operate with a bit more savvy then, as Guy says, we'll all benefit from a better environment.

Oh that's easy

"Why does my office have signs on the fire extinguishers: "Do not use these fire extinguishers to hold the fire doors open"?"

It's because some idiot decided that, because fire doors should always be closed after use, they should not have any way to latch them open during use.

Then, when normal use turns out to involve leaving them open for a few minutes to load or unload heavy stuff by hand, people use the nearest heavy weight that's to hand. Which turns out to be the fire extinguisher.

In other words, it's a consequence of proscription without proper thought towards need. You see it every day in any sufficiently large organization.

Then to "fix" the problem they put stickers on the fire extinguishers but again fail to provide a solution to the *actual* problem of the doors not having latches or wedges provided.

It's at this stage that it all seems not so much a lack of foresight but a lack of any kind of sight at all.

The ISPs are the obvious place to apply the charge: several already monitor data volumes and so already have the technology to bill the correct user despite the use of dynamic IPs. Doing the same for outbound e-mails should be easy enough to implement and difficult for miscreants to dodge: simply count outbound e-mails and add the total cost to the monthly bill.

@Computer test or common sense test (or both)

I have always had a good idea for a common sense test...

You take somebody in to a canteen and get them to choose a hot meal of their choice. The person serving them puts the plate on to their tray and says, "Be careful, the plate is hot." If the first thing they do is touch the plate then they fail. Simple!

Computer Licence?

I've long held the opinion that people should have to pass the following basics of being able to use a computer before they are allowed to purchase one:

1. Be able to set up an email account from scratch

2. Be able to install and uninstall a program from a PC

3. Know what a web browser is

4. Know how to add and remove a printer

5. Know the difference between POP3 and IMAP accounts

6. Understand what an SMTP or outgoing server is

I've heard the horrendous howls of the left wing "do-gooders" chanting that this is an elitist view; how many of these people have honestly had to walk people who have no clue beyond how to turn on the computer through the 10 or so minutes to set up an email account which if they had the above skills they would be able to do it inside 2 minutes?

Every day I deal with this and let's not even begin to pretend to understand the amount of people who want to register a domain and have a web site but don't even have basic skills or understand what FTP is or how to write a web site and it's just getting worse. The next person who calls asking me for assistance to upload a site using MS Publisher should be publicly flogged and have the wounds scrubbed with peroxide and steel wool.

Yes, I agree that licensing would take away a large segment of the economy supporting these 'idiots' and their ineptitude to do the basics but I have other things to do over the course of the work day aside from "hand holding and nappy changing". Some of these things that I would be freed up to do would be chasing users who regularly breach disk quotas, following up on outstanding accounts and developing documentation.

Irrespective of what your opinion is on this subject; the matter is a problem and one that I believe that must be addressed. It's not an easy subject but one that needs to be tackled all the same.

Oh my

And you seemed like such a reasonable gentleman when you were on the telly discussing iPods and such.

Now you're just a mean man who wants to stop anyone who isn't like him from accessing the internet.

Of course - similar requirements for a blogger ... sorry journalist would be useful. The ability to construct a rational and logical argument rather than pandering to an elite group's inflated sense of their own expertise/importance would be a start.

Missing the Point

I agree with Mark on this; any restriction on internet use would simply drive the majority of people off the Net, reducing its value as an advertising and marketing platform (that's its main function now), this would drive up the cost of internet access for those still using it.

Sounds like a good idea, but not in this universe

The problem with this idea, nice as it would be, is that creating, administrating and enforcing a "computer licence", particularly a multi-layered one akin to vehicle licences, would need a huge amount of government bureaucracy. This would be, by its very nature, so incompetent, corrupt and oppressive that the problems it would create would dwarf the problems it would attempt to solve, which it would probably fail to solve anyway. See also: eugenics (or "birth licences").

"Excuse me sir, Intertube Licence Enforcement Division. No sir, we don't need a warrant, we're like the RSPCA in that regard, and if you don't open this door within five seconds any fines we levy against you in the near future will be doubled."

"Do you have a computer sir? Good, may I see your licence? Good, email licence, internet licence, commenting on El Reg licence... hmm, you don't seem to be licenced for Team Fortress 2, sir. No, that's a Class B1 licence sir, that only permits you to play as the Soldier, Heavy or Pyro, and your Steam account clearly shows 3 hours of playtime as the Spy. I'm going to have to ask you to come with us down to the station, sir. Anything you say will be used against you, and anything you don't say, i.e. encryption keys, will also be used against you. Evening all."

Easy way to test users

There is an easy way to test users: develop malware the sole purpose of which is to report the numpties who infected themselves with it. Then go to the ISP and explain to them that these people are too stupid to be allowed on the net.

Interesting...

Well, first up, attack the idea, not the analogies he uses to explain it.

Secondly, this all sounds very similar to the NetPC idea I heard being batted around at the turn of the century. I believe it had limited local storage, and the applications and data were stored remotely and downloaded before running.

Java was in there somewhere too.

It seems to me this would be the "secure information appliance" you're looking for as all the user's activities could be monitored and controlled remotely.

Victims

Most people are actually victims of their computers, it's just they don't know it.

Many laws are framed with a criterion of reasonableness - such as "would a reasonable person expect to know if their computer was being used to help crack the launch codes of ICBMs?" Of course the answer is yes - get these morons off the net.

Crumpets

You appear to be saying that spam is the result of people sending too many CCs from their email accounts.

"Surely, if ISPs limited CC emails to 20 a day and charged 1p per email CC thereafter, most spam would dry up?"

Surely because most spam is sent by large botnets, then it just means that lots of different people in different locations would be hit by the equivalent of a phone-scam charge, which inevitably would have to be absorbed by the ISPs. Meanwhile the botnet owners continue to do their thing.

Or, do you mean that because the ISPs would charge per email, then they will be obliged to shoulder more responsibility for it travelling along their pipes, and hence put more effort into making it legitimate and secure???

I'm confused. Hopefully not as much as you appear to be, but quite possibly.

A smidgeon of good idea masked by a rant.

Somewhere in that article was a good idea. Hidden amidst the bureautopian plan for living-by-numbers, Guy mentioned the long prophesied "internet appliance" (well, he actually called it an "information appliance" -- very techno-utopia 2.0).

The fact is that now is the time for the web appliance. A truly stable version of Firefox will do 80% of what users need. Stick it on a screwed-shut Linux box with stable versions of OpenOffice.org and Thunderbird, and a decent media player and 99% of the world would be happy with it.

That assumes a stable version of Firefox, OOo and Thunderbird, but those are possible, if the OSS community really wants to do it. Or we could use Opera instead -- that's pretty stable.

"Stable", you say? Doesn't that limit future growth? Yes, but a £200 fire-and-forget internet appliance could, if pushed properly, increase the internet user-base by 10-20% and steal 10% of the upgrade market. That big a slice of the market would force major websites to cater for non-IE browsers. It would stabilise the entire internet (if people can't just "click here to download plug-in X", the proliferation of plugins and mutually incompatible websites would cease) and would provide serious reasons for the computer giants to start adding value with new releases, rather than adding pointless bells and whistles and imposing artificial obsolescence on perfectly serviceable systems.

But it's not going to happen, because no-one has the will for it -- which kill the goose that lays the golden egg?

If public service bodies were forced to justify using general-purpose computers rather than "internet appliances", we could guarantee a good initial uptake. After all, the PC in your public library is probably only ever used to browse the net and occasionally to word-process letters or school reports. Save money on computers and spend it on books. Similarly, approximately half of school computers will only be used for the same thing. Save the computer budget for the computing department and the techy design department, please.

A public-sector drive for efficient use of computing resources should instantly force vendors to produce more sensible machines -- who'd want to miss out on a market that big? Then they'd be mad not to sell to the public -- economy of scale and all that.

It's possible -- it's so near that I can smell it -- but I think that we're again going to pass up on the chance to make a positive change....

License everything that's dangerous, will you?

A tricky question

Originally my thought was yes, users should have to get a license to use a computer, after dealing with hundreds of people who clearly should not be allowed to use a computer.

Then I started thinking ...... Is it actually the user's fault that their computer is infected with malware and currently being used as part of a botnet attack on a large business to extort money from it?

Common sense keeps you infection free, like not clicking on the Free Viagra emails or clicking ok on dialog boxes that say things like "Press OK to close this dialog box" (how many times do I have to tell my users to always use the damn upper right hand cross to close anything that looks fishy). Some people (a lot) don't have common sense, and there is not really much we can do about that.

Why do we have operating systems (Microsoft *cough* *cough*) that automatically run anything, allow processes to hide themselves and have "allow all" as a default security rule? Why do we have e-mail clients (Outlook Express *cough* *cough*) that automatically download files, run hidden scripts and generally execute things that should not be able to execute? Why do we have any web browsers (Internet Explorer *cough* *cough*) that allow ANYTHING executable on a web page to be secretly downloaded onto a computer and executed?

Why don't we just get ISPs to issue fines for every spam e-mail relayed from a computer, for every flood packet sent out and any malware that is distributed? That would stop user ignorance to the problems their computers are dishing out. If they have to pay then they will learn about security quick enough.

2 other problems as I see it

Even if all the questions asked could be answered, I think there are a couple of major flaws being overlooked when controlling access to sites/services online:

1. It would cripple innovation. How can the next Facebook* be successful if 'limited' users can't access it without first being authorised by their ISP/security software?

2. People would want to 'unlock' their experience. And this would feed the market for cracked software/machines/ISP accounts. And in those circumstances, those users would then be more at risk of hackers than they are at the moment.

* I use Facebook as an example based on its rise in popularity, not on what I personally think about the site ;)

Another tax?

Me no like this way of thinking.

Testing would cost someone money. Me in fact. And you. If it were introduced it would be run by somebody with fairly close links to No. 10, so you can expect your taxes to be spent either implementing it, or at least running "focus groups".

Yes there is a problem, and yes it will cost money to fix it. I personally would prefer the root of the cause gets charged tho. I use Windows at work, I use it at home, but damn it has its issues. If it weren't designed by ppl whose metric of decency is "how pretty is it?" then it could be a decent OS, but no. It asks, nay begs, to be compromised and abused. The problem(s) lie firmly at the door of a company that happily sold a product that isn't fit to be networked.

Multi user OSes have existed for what? 40-50 years now? And MS still can't make a simple one that doesn't require n layers of 3rd party protection to even *hope* you can check your mail without needing a reinstall.

The basic fact is that ppl are stupid. That's why we have ABS, seat belts, crumple zones, air bags etc in cars - we *know* someone will make a mistake and so we try to mitigate that by making the safest cars we can. Why isn't our most popular (or should that be common?) OS the same?